ASA and FTD Security Appliances Might Fail To Pass Traffic After 213 Days Of Uptime

I’ve recently had to work on a sev1 case where one of my customers’ environments suddenly stopped responding to outside requests.

Once the bug hits your security appliance, the ARP table gradually empties and the asp drop counter for Punt Rate Limit Exceeded keeps increasing.

What makes this bug even more difficult is that not all services are impacted right away. In my situation I was able to SSH to the impacted device but couldn’t find anything wrong. After a while my SSH session was dropped, and at that moment I knew something weird was going on.

Console into the device and check the asp drop counters and the uptime to confirm whether you have hit Cisco bug CSCvd78303.

!Verify up time
ASA-Pri/admin/sec/act> sh ver | grep up
ASA-Pri up 224 days 16 hours
failover cluster up 4 years 334 days

!Verify asp drop increasing for Punt
ASA-Pri/admin/sec/act# sh asp drop | in Punt
Punt rate limit exceeded (punt-rate-limit) 225370

!Verify arp table to be empty (or almost)
ASA-Pri/admin/sec/act# sh arp
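The three checks above can be scripted so a monitoring job flags the condition before the ARP table is completely empty. The following is an added example, not code from the original post: it parses constructed sample output modelled on the commands above, assumes the two asp-drop samples were taken some time apart, and treats fewer than five ARP entries as "nearly empty" (an assumed threshold).

```python
import re

# Constructed sample output modelled on the commands in the post (not captured
# from a real device): 'sh ver | grep up', two 'sh asp drop | in Punt' samples
# taken a minute apart, and an empty 'sh arp'.
SHOW_VER = "ASA-Pri up 224 days 16 hours\nfailover cluster up 4 years 334 days\n"
ASP_DROP_T0 = "Punt rate limit exceeded (punt-rate-limit) 225370\n"
ASP_DROP_T1 = "Punt rate limit exceeded (punt-rate-limit) 226115\n"
SHOW_ARP = "\n"

UPTIME_THRESHOLD_DAYS = 213  # uptime after which CSCvd78303 can trigger
# Only the device's own line matches: 'failover cluster up ...' has a space
# before 'up', so '^\S+ up' skips it.
UPTIME_RE = re.compile(
    r"^(?P<host>\S+) up(?: (?P<years>\d+) years?)?(?: (?P<days>\d+) days?)?", re.M)
PUNT_RE = re.compile(r"\(punt-rate-limit\)\s+(\d+)")

def parse_uptime_days(show_ver):
    """Appliance uptime in whole days from 'sh ver | grep up', or None."""
    m = UPTIME_RE.search(show_ver)
    if not m:
        return None
    return 365 * int(m.group("years") or 0) + int(m.group("days") or 0)

def parse_punt_drops(asp_drop):
    """Current value of the punt-rate-limit counter in 'sh asp drop' output."""
    m = PUNT_RE.search(asp_drop)
    return int(m.group(1)) if m else 0

def count_arp_entries(show_arp):
    """Non-blank lines of 'sh arp'; assumes one entry per line, no header."""
    return sum(1 for line in show_arp.splitlines() if line.strip())

def assess(show_ver, asp_before, asp_after, show_arp, min_arp_entries=5):
    """Combine the three symptoms from the post. Returns (likely_hit, details)."""
    days = parse_uptime_days(show_ver)
    punt_delta = parse_punt_drops(asp_after) - parse_punt_drops(asp_before)
    arp_entries = count_arp_entries(show_arp)
    details = {
        "uptime_days": days,
        "uptime_over_threshold": days is not None and days >= UPTIME_THRESHOLD_DAYS,
        "punt_delta": punt_delta,
        "punt_drops_increasing": punt_delta > 0,
        "arp_entries": arp_entries,
        "arp_nearly_empty": arp_entries < min_arp_entries,
    }
    likely_hit = all(details[k] for k in
                     ("uptime_over_threshold", "punt_drops_increasing", "arp_nearly_empty"))
    return likely_hit, details
```

Feed it the captured output of the three commands from your own device; when all three symptoms are true at once, the reload or upgrade described in the rest of the post is the next step.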

There are two ways to mitigate the issue in case you are in the same boat.

If your security appliance is not passing traffic because of the bug, the fastest approach is to reload the device to reset the uptime counter. Make sure to write memory / copy run start before! Once the appliance is back, your services should return to normal. Keep in mind that this only resets the clock; the bug can trigger again once the uptime reaches the same point.

Now, in order to mitigate the issue once and for all, it is time to plan a maintenance window to upgrade your firmware.

Refer to the Cisco upgrade path to find your fixed release. Once you have completed the upgrade you should be good from now on.

Table 1

| Impacted Software Version(s) | Fixed Software Version(s) |
|---|---|
| FTD 6.1(0)1, 6.1(0)2 | FTD 6.1(0)3 or later |
| FTD 6.2(0) | FTD 6.2(0)1 or later |
| ASA 9.1(7)9, 9.1(7)11, 9.1(7)12, 9.1(7)13, 9.1(7)15 | ASA 9.1(7)16 or later |
| ASA 9.2(4)15, 9.2(4)17, 9.2(4)18 | ASA 9.2(4)20 or later |
| ASA 9.4(3)6, 9.4(3)8, 9.4(3)11, 9.4(3)12, 9.4(4), 9.4(4)2 | ASA 9.4(4)5 or later |
| ASA 9.5(3), 9.5(3)1, 9.5(3)2, 9.5(3)6 | ASA 9.6(3)1 or later |
| ASA 9.6(2)1, 9.6(2)2, 9.6(2)3, 9.6(2)4, 9.6(2)7, 9.6(2)11, 9.6(2)13, 9.6(3) | ASA 9.6(3)1 or later |
| ASA 9.7(1), 9.7(1)2 | ASA 9.7(1)4 or later |

Lastly, I strongly encourage you to sign up for the Cisco Notification Service to receive similar field notices in the future.

Regards,
Bart
